[ubuntu/impish-updates] libarchive 3.4.3-2ubuntu0.1 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Thu Feb 17 14:28:09 UTC 2022


libarchive (3.4.3-2ubuntu0.1) impish-security; urgency=medium

  * SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
    - debian/patches/CVE-2021-23177.patch: fix handling of symbolic link
      ACLs in libarchive/archive_disk_acl_freebsd.c,
      libarchive/archive_disk_acl_linux.c,
      libarchive/archive_disk_acl_sunos.c.
    - CVE-2021-23177
  * SECURITY UPDATE: symbolic links incorrectly followed
    - debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when
      processing the fixup list in Makefile.am,
      libarchive/archive_write_disk_posix.c,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-2.patch: never follow symlinks when
      setting file flags on Linux in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2021-31566-3.patch: fix following symlinks when
      processing the fixup list in libarchive/archive_write_disk_posix.c,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in
      8a1bd5c in libarchive/archive_write_disk_posix.c.
    - CVE-2021-31566
  * SECURITY UPDATE: use-after-free in copy_string
    - debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/*.
    - debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5.c, libarchive/test/*.
    - CVE-2021-36976

Date: 2022-02-16 17:59:10.337880+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/libarchive/3.4.3-2ubuntu0.1